When a connection is established, Java still verifies that the server's certificate is trusted (issued or signed by a trusted certificate authority), just as a browser does. If the server-side certificate is not trusted, the default implementation rejects the connection, and Java typically reports the following error when accessing an SSL link:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
    at com.wenhq.http.TestSSL.testAig(TestSSL.java:21)
    at com.wenhq.http.TestSSL.main(TestSSL.java:13)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
This exception occurs when a trusted security certificate is missing.
When the client makes an SSL connection, JSSE decides whether to trust the server-side certificate based on the certificates in the truststore file. In SunJSSE, a trust manager class is responsible for deciding whether to trust the remote certificate, and it follows these rules:
1) If the system property javax.net.ssl.trustStore specifies a truststore file, the trust manager looks for this file in the lib/security/ directory under the JRE installation path and uses it to check the certificate.
2) If the system property does not specify a truststore file, the trust manager looks under the JRE installation path for the default truststore file; the relative path of this file is lib/security/jssecacerts.
3) If jssecacerts does not exist but cacerts does (it ships with the J2SDK and contains a limited number of trusted root certificates), the default truststore file is lib/security/cacerts.
You can add a trusted certificate to Java as follows:
1. Export the certificate from the Chrome browser as a CER file;
2. Import the CER certificate into the Java certificate truststore:
D:\Program files\java\jdk1.6.0_07\bin>keytool -import -keystore jssecacerts -file Purchase.cer -alias Purchase
Enter keystore password: changeit
Re-enter new password: changeit
3. Put the generated jssecacerts file into the $javahome\jdk1.6.0_07\jre\lib\security directory.
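To confirm that the import steps above took effect, the following added example (not code from the original article) asks the running JVM whether the exported certificate is in its default truststore, and prints the certificate's SHA-256 fingerprint so it can be compared with a value obtained from the server's owner. The class name TrustCheck is hypothetical, Purchase.cer is the file name used above, and Java 7 or later is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {  // hypothetical class name, not from the article
    public static void main(String[] args) throws Exception {
        // Exported certificate; defaults to the file name used in the steps above.
        String cerPath = args.length > 0 ? args[0] : "Purchase.cer";

        // Report the truststore property and the two default files from rules 2) and 3).
        File dir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        for (String name : new String[] {"jssecacerts", "cacerts"}) {
            File f = new File(dir, name);
            System.out.println(f + (f.isFile() ? " (present)" : " (absent)"));
        }

        // Parse the certificate and compute its SHA-256 fingerprint.
        X509Certificate cert;
        try (InputStream in = new FileInputStream(cerPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            fp.append(String.format("%02X", b));
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + fp);

        // init(null) loads the JVM's default truststore, the one HTTPS connections use.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        boolean trusted = false;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (ca.equals(cert)) trusted = true;
            }
        }
        System.out.println(trusted ? "Certificate is in the default truststore"
                                   : "Certificate is NOT in the default truststore");
    }
}
```

Run it with the same JRE that the failing application uses; a "NOT in the default truststore" result after step 3 usually means jssecacerts was copied into a different JRE's lib\security directory.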